[57] ABSTRACT

The present invention discloses a method of protecting 
a pseudorandom (PN) signal generated by a linear 
Feedback Shift Register (LFSR) from cryptographic 
attack. This is accomplished by first receiving a PN 
output signal generated by an LFSR, or by clocking an 
LFSR to produce a PN output signal. Thereafter, non- 
linearity is deterministically introduced into the PN 
signal to produce a deterministic bit pattern. According 
to the suggested embodiments, the introduction of non- 
linearity is accomplished by altering at least one bit of 
the PN signal sequence. Next, the deterministic bit pat- 
tern is substituted in place of the LFSR PN signal, 
thereby protecting the PN signal from cryptographic 
attack. 

20 Claims, 2 Drawing Sheets 
5,060,265

METHOD OF PROTECTING A LINEAR FEEDBACK SHIFT REGISTER (LFSR) OUTPUT SIGNAL

TECHNICAL FIELD 

The present invention relates generally to a cryptographic method and system. In so doing, it addresses the use of a linear feedback shift register (LFSR) as a pseudorandom signal generator. Specifically, however, the present invention pertains to a cryptographic method and apparatus wherein a LFSR output signal is made non-linear and thereby protected from cryptographic attack.

BACKGROUND OF THE INVENTION 

LFSRs are well known in the art. Typically, these devices are utilized in operations where the generation of a pseudonoise/pseudorandom (PN) signal is required. A PN signal is a binary signal, which appears to be random. In reality, a PN signal is not random at all; it is a deterministic, periodic signal whose periodicity is dependent upon the number of stages within the LFSR, the feedback taps, and the LFSR's initial conditions. Typical operations employing LFSRs as PN signal generators are: spread spectrum systems, noise generators, and cryptographic systems hereinafter referred to as cryptosystems.

FIG. 1 depicts a simplistic representation of an LFSR 100. Mathematically, the LFSR defines an Nth degree polynomial (where N is the length of the LFSR) with one coefficient for each "tap" (output bit) used to form the feedback signal. Accordingly, the LFSR 100 is definable as a fourth degree polynomial, comprising the four stages 11-14, with feedback signal T1, which performs an exclusive-or operation on the output of stages 13 and 14 and feeds that operation back to the input of stage 11.

It will be appreciated by those skilled in the art that the LFSR 100 is a simplistic model of a PN signal generator, for use as, for example, the encryption key, which dictates a specific encryption transformation for a cryptosystem. This particular example was selected primarily to show that an LFSR of the Nth degree is ultimately periodic in $2^n - 1$ bits (see Table I).

In the preferred embodiment, LFSR 100 comprises a 64 stage shift register, providing a 64th degree polynomial. Approximately 32 taps are used to create the desired PN signal. Accordingly, the 64 bit maximal length LFSR will produce a digital sequence having approximately $1.84 \times 10^{19}$ bits. At 12 KHz, it would take nearly 50 million years for this sequence to repeat. As PN signal generators increase in sophistication, typical values reach 80 to 100 stages with anywhere from 40 to 50 taps, in which case the sequences can be expected to repeat every $4 \times 10^{16}$ years.

The primary goal of any cryptosystem is to prevent the unauthorized introduction (spoofing) or extraction (eavesdropping) of information from the communication channel. Since the previously discussed encryption keys repeat so infrequently, one might suppose that a cryptosystem utilizing these keys would be unconditionally secure. Unfortunately, any cryptosystem that uses an LFSR to generate the encryption key is extremely vulnerable to attack.

The cryptosystem's weakness is caused by the LFSR's linearity. Since the PN signal is generated by an algorithm, knowledge of the algorithm reveals the entire sequence. While it takes $2^n - 1$ bits for a PN sequence to repeat, a cryptanalyst needs only $2n$ bits of plaintext and its corresponding ciphertext to determine the feedback taps, the initial state of the register, and ultimately the entire PN signal. This vulnerability represents a major drawback to the continued use of LFSRs in modern cryptosystems.

Accordingly, it would be extremely advantageous to 
provide a cryptographic method and apparatus wherein 
the PN signal of an LFSR is made non-linear, thereby 
rendering the cryptosystem virtually indecipherable. 

SUMMARY OF THE INVENTION 

Accordingly, a general object of the present inven- 
tion is to provide a cryptographic method and appara- 
tus. 

It is another object of the present invention to pro- 
vide a cryptographic method and apparatus utilizing a 
LFSR to generate a PN signal. 

It is the ultimate object of the present invention, how- 
ever, to provide a cryptographic method and apparatus 
wherein the PN signal is made non-linear, thereby ren- 
dering the cryptosystem virtually indecipherable. 

These and other objects are achieved by the present invention which is briefly described as a method of protecting a Linear Feedback Shift Register (LFSR) output signal. This invention is based on the recognition that after the capture of $2n$ bits of ciphertext and its plaintext equivalent, a cryptanalyst, using known techniques, can easily decipher the algorithm that generates the entire PN sequence. Accordingly, the present invention discloses a method and apparatus for protecting the pseudorandom (PN) signal generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack. This is accomplished by introducing non-linearity into the PN signal generated by an LFSR.

In one embodiment non-linearity is introduced by altering the state of at least one bit of the PN signal in order to produce a deterministic bit pattern. This bit pattern is then used as the cryptosystem's PN signal instead of the LFSR PN signal. In an alternative embodiment, the location of at least one bit of the PN signal is repositioned in order to once again introduce non-linearity into the otherwise linear output of an LFSR. In this fashion, the cryptanalyst's task is made increasingly more difficult, thereby rendering the cryptosystem virtually impervious to attack.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGS. 1a and 1b depict a simple LFSR representation;

FIG. 2 depicts a model cryptographic channel; and

FIG. 3 depicts a portion of the cryptosystem according to the present invention.

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

A principal application of the present invention is for a PN signal generator like those employed in the field of cryptography. FIG. 2 depicts a model of a cryptographic channel 200. In operation, a message, or plaintext M, is encrypted via transformation, $E_k$, to produce ciphertext, $C = E_k(M)$. The ciphertext is then transmitted over an insecure or public channel. When an authorized listener receives the ciphertext C, she deciphers it with the inverse transformation, $D_k = E_k^{-1}$, to obtain the original plaintext message as follows:

$$D_k(C) = E_k^{-1}[E_k(M)] = M \qquad (1)$$

The parameter K refers to a set of characters or symbols called a key, which dictates the encryption transformations $E_k$ and $D_k$. In the cryptosystem of FIG. 2, the key K is manipulated by PN signal generators 210 and 220 to create a key stream. This key stream is ultimately exclusive-ored with the plaintext M for encryption and with the ciphertext C for decryption. Anyone having access to the key, therefore, can encrypt and decrypt plaintext messages. Accordingly, the key is transmitted between authorized users via secure channels only. In a cryptographic attack, the goal of the cryptanalyst is to produce an estimate of the plaintext message, M, by analyzing the ciphertext obtained from the public channel, without benefit of the key.

As previously discussed, when the PN signal generators 210 and 220 employ LFSRs, the cryptosystem becomes extremely vulnerable to attack. This attack, known as a plaintext attack, involves knowledge of the plaintext and knowledge of its ciphertext counterpart. Armed with this information the competent cryptanalyst can successfully decrypt the message intercepted from the public channel. While knowledge of the plaintext will not always be readily available to the cryptanalyst, plaintext attacks occur with sufficient frequency that no cryptosystem is considered secure unless it is designed to defeat this threat.

In order to secure the system against such cryptographic attacks, the present invention suggests the introduction of non-linearity into the PN signal sequence. To aid in this discussion, refer to FIG. 3. FIG. 3 depicts a portion of the cryptosystem according to the present invention. In operation, LFSR 300, which is capable of being implemented via flip flops, latches, shift registers, working registers, memory device addresses, or as a software variable, is identical to the LFSR 100 previously discussed.

According to the present invention, the LFSR 300 content is modulo-two added to the content of one of a plurality of selectively addressed registers 320-327 via exclusive-or gate 310. This summation generates an address signal which can be any function of the LFSR and register contents. The address is then transmitted along address bus 315 to address a preprogrammed RAM look-up table 350. Thereafter, a RAM look-up table entry corresponding to the address signal is sent to the comparator circuit 330. The comparator 330 compares the RAM look-up table entry with a reference bit pattern, in this case, the contents of the register selectively added to the LFSR's content. It will be appreciated that other reference bit patterns are available, as for example, the LFSR contents, flip flop contents, latch contents, shift register contents, working register contents, memory device address contents, or the contents of a software variable.

Assuming the look-up table entry and the reference bit pattern values do not compare, the LFSR 300 output signal will not be altered. Upon a comparison, however, the comparator 330 will direct switch S2, via control line 332, to open. According to this embodiment, each comparison will cause at least one bit to be dropped from the PN sequence generated by the LFSR 300. This process of ignoring at least one bit of the PN sequence is but one way of deterministically introducing non-linearity into the PN sequence of an LFSR.

Another alternative suggests simply masking at least one bit of the PN sequence. In such an embodiment, switch S2 would be replaced by a signal inverter. Accordingly, upon each comparison by the comparator 330, the state of at least one bit of the PN sequence [illegible]. Again, this process of masking at least one bit of the PN sequence is an effective means of deterministically introducing non-linearity into the PN sequence, thereby rendering the original PN sequence virtually impervious to attack.

Yet another embodiment suggests that non-linearity may be deterministically introduced into the PN sequence of an LFSR output by altering the relative position of at least one bit of the original PN sequence upon the occurrence of some specified trigger condition.

Accordingly, unique to the present invention is the deterministic introduction of non-linearity into the PN sequence of an LFSR output signal in order to protect the LFSR from cryptographic attack. In this fashion, the cryptanalyst's task is made increasingly more difficult, thereby rendering the cryptosystem virtually indecipherable. While particular embodiments of the invention have been described herein, it will be obvious that additional modifications may be made without departing from the spirit of this disclosure.

In summary, the present invention discloses a method of protecting a pseudorandom (PN) signal generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack. This is accomplished by first receiving a PN output signal generated by an LFSR, or by clocking an LFSR to produce a PN output signal. Thereafter, non-linearity is deterministically introduced into the PN signal by masking or ignoring the state of at least one bit of the PN signal, or repositioning the location of at least one bit of the PN signal, to produce a deterministic bit pattern. Next, the deterministic bit pattern is substituted in place of the LFSR PN signal, thereby protecting the PN signal from cryptographic attack.

What is claimed is:

1. A method of protecting a pseudorandom (PN) signal generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack comprising the steps of:

deterministically introducing non-linearity into the PN signal to produce a deterministic bit pattern; and

substituting the deterministic bit pattern for the PN signal,

whereby the PN signal is protected from cryptographic attack.

2. The method of claim 1 wherein the step of deterministically introducing non-linearity into the PN signal further comprises the step of:

altering at least one bit of the PN signal.

3. The method of claim 2 wherein the step of altering at least one bit of the PN signal further includes the steps of:

adding at least a portion of the LFSR content to at least a portion of the register content to obtain an address;

fetching a look-up table entry from a look-up table at a location corresponding to the address; and

comparing the look-up table entry to a reference to determine a match.

4. The method of claim 3 wherein the step of adding is a modulo-two addition.
5. The method of claim 2 wherein the step of altering at least one bit of the PN signal is an alteration selected from the group of alterations consisting of:

masking the state of at least one bit of the PN signal;

ignoring the state of at least one bit of the PN signal; and

repositioning the location of at least one bit of the PN signal,

upon a comparison.

6. The method of claim 2 wherein the reference is a bit pattern selected from the group of bit patterns consisting of:

LFSR contents;

flip flop contents;

latch contents;

shift register contents;

working register contents;

memory device address contents; and

software variable contents.

7. A method Of protecting a pseudorandom (PN) signal generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack comprising the steps of:

clocking an LFSR to produce a PN signal;

altering at least one bit of the PN signal to produce a deterministic bit pattern; and

substituting the deterministic bit pattern for the PN signal,

whereby non-linearity is deterministically introduced into the PN signal to protect it from cryptographic attack.

8. The method of claim 7 further comprising the step 
of: 

initializing the LFSR to an initial state. 

9. The method of claim 7 wherein an LFSR is a medium selected from the group of storage media consisting of:

flip flops;

latches;

shift registers;

working registers;

memory device addresses; and

software variables.

10. The method of claim 7 wherein the step of altering at least one bit of the PN signal further includes the steps of:

adding the LFSR content to a register content to obtain an address;

fetching a look-up table entry from a look-up table at a location corresponding to the address; and

comparing the look-up table entry to a reference to determine a match.

11. The method of claim 10 wherein the step of adding is a modulo-two addition.

12. The method of claim 10 wherein the step of altering at least one bit of the PN signal is an alteration selected from the group of alterations consisting of:

masking the state of at least one bit of the PN signal;

ignoring the state of at least one bit of the PN signal; and

repositioning the location of at least one bit of the PN signal,

upon a comparison.

13. The method of claim 10 wherein the reference is a bit pattern selected from the group of bit patterns consisting of:

LFSR contents;

flip flop contents;

latch contents;

shift register contents;

working register contents;

memory device address contents; and

software variable contents.

14. A method of protecting the pseudorandom (PN) sequence generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack comprising the steps of:

clocking an LFSR to produce a PN sequence;

adding at least a portion of the LFSR's content to a register content to obtain an address;

fetching a look-up table entry from a look-up table at a location corresponding to the address;

comparing the look-up table entry to a reference to determine a match;

altering at least one bit of the PN sequence upon a comparison, to produce a deterministic bit pattern; and

substituting the deterministic bit pattern for the PN sequence,

whereby non-linearity is deterministically introduced into the PN signal to protect it from cryptographic attack.

15. The method of claim 14 wherein an LFSR is a 
medium selected from the group of storage media con- 
sisting of: 

flip flops; 

latches; 

shift registers; 

working registers; 

memory device addresses; and 

software variables. 

16. The method of claim 14 wherein the step of add- 
ing is a modulo-two addition. 

17. The method of claim 14 wherein the step of altering at least one bit of the PN sequence is an alteration selected from the group of alterations consisting of:

masking the state of at least one bit of the PN se- 
quence; 

ignoring the state of at least one bit of the PN se- 
quence; and 

repositioning the location of at least one bit of the PN 
sequence. 

18. The method of claim 14 wherein the reference is 
a bit pattern selected from the group of bit patterns 
consisting of: 

LFSR contents; 

flip flop contents; 

latch contents; 

shift register contents; 

working register contents; 

memory device address contents; and 

software variable contents.

19. An apparatus for protecting the pseudorandom 
(PN) signal generated by a Linear Feedback Shift Reg- 
ister (LFSR) from cryptographic attack comprising: 

means for deterministically introducing non-linearity 
into a PN signal to produce a deterministic bit 
pattern; and 

substituting means, coupled to the means for deterministically introducing non-linearity, for substituting the deterministic bit pattern for the PN signal,

whereby the PN signal is protected from crypto- 
graphic attack. 

20. An apparatus for protecting the pseudorandom (PN) sequence generated by a Linear Feedback Shift Register (LFSR) from cryptographic attack comprising:

LFSR means for producing a PN sequence;

altering means, coupled to the LFSR means, for altering at least one bit of the PN sequence to produce a deterministic bit pattern; and

substituting means, coupled to the altering means, for substituting the deterministic bit pattern for the PN sequence,

whereby non-linearity is deterministically introduced 
into the PN signal to protect it from cryptographic 
attack. 
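
The weakness stated in the Background (2n known keystream bits determine an LFSR) and the bit-dropping embodiment of FIG. 3 and claim 14, as an added Python simulation that is not part of the patent: it fits the shortest linear recurrence to a keystream with the Berlekamp-Massey algorithm (a standard technique the patent does not name), shows the fit reproducing the output of the FIG. 1 register, and shows the same fit failing once bits are dropped on a comparator match. The function names, `REGISTER`, `TABLE`, the initial state, and the use of a single register in place of registers 320-327 are assumptions made for the illustration; `lfsr` and `berlekamp_massey` accept any number of stages.

```python
# Added illustration, not the patent's code; sample values are constructed.

def lfsr(state, taps, n, clocks):
    """Yield (content, output bit) of an n-stage LFSR. Bit i of `state` is
    stage i+1; the last stage is the output and the XOR of the tapped
    stages is fed back into the first stage (FIG. 1: n=4, taps 3 and 4)."""
    for _ in range(clocks):
        fb = 0
        for t in taps:
            fb ^= (state >> (t - 1)) & 1
        yield state, (state >> (n - 1)) & 1
        state = ((state << 1) | fb) & ((1 << n) - 1)

def berlekamp_massey(bits):
    """Return (L, c): the shortest linear recurrence reproducing `bits`,
    bits[i] = XOR over j = 1..L of c[j] & bits[i - j]."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = c[:]                   # polynomial before the last length change
    L, m = 0, 1
    for i in range(n):
        d = bits[i]            # discrepancy between prediction and bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            prev = c[:]
            for j in range(n + 1 - m):
                c[j + m] ^= b[j]
            if 2 * L <= i:     # recurrence must grow to absorb this bit
                L, b, m = i + 1 - L, prev, 0
        m += 1
    return L, c[:L + 1]

def predict(prefix, total):
    """Fit a recurrence to `prefix` and run it forward to `total` bits."""
    L, c = berlekamp_massey(prefix)
    out = list(prefix)
    while len(out) < total:
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & out[-j]
        out.append(nxt)
    return out

REGISTER = 0b1010  # stands in for one of registers 320-327
TABLE = [3, 14, 7, 0, 9, 12, 1, 5, 15, 2, 11, 6, 8, 10, 4, 13]  # RAM 350

def protected(state, taps, n, clocks, register=REGISTER, table=TABLE):
    """FIG. 3 model: address = LFSR content XOR register content; when the
    table entry at that address equals the reference (here the register
    content) the current output bit is dropped."""
    out = []
    for content, bit in lfsr(state, taps, n, clocks):
        address = (content ^ register) % len(table)  # exclusive-or gate 310
        if table[address] != register:               # comparator 330: no match
            out.append(bit)                          # switch S2 stays closed
    return out

if __name__ == "__main__":
    plain = [bit for _, bit in lfsr(1, (3, 4), 4, 30)]
    shield = protected(1, (3, 4), 4, 30)
    for name, s in (("LFSR", plain), ("protected", shield)):
        print(name, "L =", berlekamp_massey(s)[0],
              "predicted from 8 bits:", predict(s[:8], len(s)) == s)
```

A longer recurrence only shows that this particular fit no longer succeeds from 2n bits; it is a necessary check on a keystream generator, not by itself evidence that the generator is secure.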
UNITED STATES PATENT AND TRADEMARK OFFICE

CERTIFICATE OF CORRECTION 

PATENT NO. : 5,060,265 
DATED : October 22, 1991 

INVENTOR(S) : Louis D. Finkelstein 

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

In column 4, line 42, claim 1, delete "Linear Feedback Shift Register 
(LFSR) " and insert — PN signal generator — . 

In column 4, line 60, claim 3, delete "LFSR" and insert — PN signal 
generator — . 

In column 4, line 61, claim 3, delete "the" and insert — a — . 
In column 5, line 10, claim 6, delete "2" and insert — 3 — . 
In column 5, line 20, claim 7, delete "Of" and insert — of — . 
In the Abstract, line 2, "linear" should be --Linear--.



Attest:

Signed and Sealed this
Thirty-first Day of August, 1993

BRUCE LEHMAN

Attesting Officer

Commissioner of Patents and Trademarks